Court to hear challenge to GCHQ bulk hacking of phones and computers

A challenge to GCHQ’s use of non-specific warrants to authorise the bulk hacking of smartphones, computers and networks in the UK is starting at the court of appeal.

The case, brought by the campaign group Privacy International (PI), is the latest twist in a protracted battle about both the legality of bulk surveillance and the primacy of civil courts over an intelligence tribunal that operates partly in secret.

The original claim dates back to 2014 and was brought at the investigatory powers tribunal (IPT) following revelations by the American whistleblower Edward Snowden who exposed the extent of surveillance carried out by the US’s National Security Agency and the UK’s GCHQ.

The IPT hears complaints about government surveillance and the intelligence services. Some of its hearings are held behind closed doors.

PI, along with seven internet service providers, argued that computer network exploitation (CNE) carried out by GCHQ, the government monitoring station in Cheltenham, breaches human rights.

At the first hearing, Ben Jaffey QC, for PI, argued that since the 18th century the common law has opposed the use of such non-specific warrants.

In February last year, however, the IPT ruled that the legal regime under which warrants were issued for the agency to carry out equipment interference, or hacking, in the UK was compatible with the European convention on human rights. The decision said that warrants do not need to be “defined by reference to named or identified individuals”.

Frustrated at the outcome, PI launched a judicial review of the IPT’s decision in the high court because there was, effectively, no right of appeal from the tribunal. In February this year, the high court ruled in favour of GCHQ and the Foreign Office, rejecting the judicial review challenge.

On Thursday, the next stage of the legal battle goes before the court of appeal. In advance of the hearing, Scarlet Kim, a legal officer at PI, said: “The [IPT] unlawfully sanctioned the UK government’s use of sweeping powers to hack hundreds or thousands of people’s computers and phones with a single warrant. Rather than debate the necessity and proportionality of their expansive hacking powers, the government is instead arguing that the UK courts should have no jurisdiction to review the legality of the tribunal’s decisions.

“Too often, the government justifies intrusive surveillance powers by telling the public that ‘if you have nothing to hide, you have nothing to fear’. We throw that mantra back to the government: ‘If you have nothing to hide about your hacking, you have nothing to hide from our courts.’”

If PI loses the case it could be ordered to pay up to £25,000 of the government’s legal costs under a “protective costs order” that caps its liabilities. To pay for the challenge, the organisation has launched a crowdfunding appeal through the website CrowdJustice.

In its appeal, PI argues: “Hacking actually makes us less safe because it compromises the technology that is increasingly embedded into the fabric of our lives. By hacking our devices, the government is choosing to take advantage of security holes, which leaves us all more vulnerable to future cyber-attacks. By hacking, the government has deliberately chosen to make our technology less secure than it can be.”

Welcoming the IPT judgment in 2015, the then foreign secretary, Philip Hammond, said: “A proper balance is being struck between the need to keep Britain safe and the protection of individuals’ privacy.”

He added: “The ability to exploit computer networks plays a crucial part in our ability to protect the British public. Once again, the law and practice around our security and intelligence agencies’ capabilities and procedures have been scrutinised by an independent body and [have] been confirmed to be lawful and proportionate.”